# VPS Tunnel Anti-GFW + Privacy Shield

**Objective**: Bypass the Great Firewall (GFW) + encrypt all personal traffic against surveillance

**Context**: Shanghai, China - need for unrestricted access + total confidentiality

**Constraint**: Must be **undetectable** by the GFW's DPI (Deep Packet Inspection)

---

## Recommended Technical Stack

### Option 1: WireGuard + Obfuscation (Best performance/security trade-off)

**Why WireGuard**:
- Modern cryptography (ChaCha20, Curve25519)
- Native performance (kernel-level)
- Minimal footprint (4,000 lines of code vs 400k for OpenVPN)
- **Problem**: Easily detectable by the GFW's DPI (recognisable UDP pattern)

**Solution: Obfuscation Layer**

#### A. WireGuard + obfs4proxy (Tor obfuscation)

```
# Architecture
Client → obfs4proxy → WireGuard → VPS → Internet
```

- obfs4 makes the traffic indistinguishable from random data (no recognisable protocol fingerprint)
- Used by Tor, tested in China
- Adds ~10-20 ms of latency

#### B. WireGuard + Shadowsocks (Simple, effective in China)

```
# Architecture
Client → Shadowsocks → WireGuard → VPS → Internet
```

- Shadowsocks was designed specifically to defeat the GFW
- AEAD encryption (ChaCha20-IETF-Poly1305)
- Very widespread in China = constant updates against new detection methods

### Option 2: V2Ray + VMess/VLESS (China gold standard)

**Why V2Ray**:
- **Designed for China** (created by Chinese devs)
- Multi-protocol (VMess, VLESS, Trojan)
- Camouflaged as legitimate HTTPS traffic
- WebSocket + TLS + CDN (Cloudflare) = nearly undetectable

**Recommended config**:

```
Client → V2Ray (VLESS+TLS+WebSocket) → Cloudflare CDN → VPS → Internet
```

**Advantages**:
- Traffic looks like a normal website visit
- Cloudflare in front = the VPS IP cannot be blocked
- Automatic IP rotation via the CDN
- Resists active GFW blocking

---

## VPS Choice

### Essential Criteria

1. **Jurisdiction outside the 14 Eyes** (avoid US, UK, EU)
2. **Performance to China**: latency <150 ms to Shanghai
3.
**Unlimited bandwidth** or at least 2 TB/month
4. **Credible no-logs policy**
5. **Anonymous payment** (crypto if possible)

### Recommendations

#### Tier 1: Performance + Privacy (Expensive)
- **Njalla** (Nevis, Caribbean) - $15/month - Crypto OK - Maximum anonymity
- **1984 Hosting** (Iceland) - $10/month - Privacy-focused - GDPR+ protections
- **FlokiNET** (Romania/Iceland) - $6/month - Anti-censorship stance - Crypto OK

#### Tier 2: Budget + Performance (Good value)
- **Linode Tokyo** - $5/month - 60-80 ms to Shanghai - Solid
- **Vultr Tokyo/Seoul** - $6/month - 50-70 ms - Free snapshots
- **DigitalOcean Singapore** - $6/month - 70-90 ms - Simple setup

#### Tier 3: Maximum Privacy (Acceptable latency)
- **Mullvad** (Sweden, a VPN rather than a VPS) - €5/month - Proven NO LOGS - Cash/crypto
- **IVPN** (Gibraltar) - $6/month - Independent audits - Native WireGuard

**Optimal choice for Alexis**:
- **Primary**: Vultr Tokyo (performance) + V2Ray + Cloudflare
- **Backup**: Njalla (privacy paranoia) + WireGuard + obfs4

---

## Complete Architecture

### Layer 1: VPS Setup

```bash
# Ubuntu 22.04 LTS (Tokyo)
apt update && apt upgrade -y
apt install -y curl wget git ufw fail2ban

# Basic hardening
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp    # SSH (change the port afterwards)
ufw allow 443/tcp   # HTTPS (V2Ray behind Caddy)
ufw --force enable

# Disable SSH password authentication.
# Make sure your public key is already in ~/.ssh/authorized_keys and that a
# key-based login works before doing this, or you will lock yourself out.
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Ubuntu cloud images also ship drop-in files that may re-enable it
grep -rl 'PasswordAuthentication yes' /etc/ssh/sshd_config.d/ 2>/dev/null \
  | xargs -r sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/'
sshd -t && systemctl restart sshd
```

### Layer 2: V2Ray + TLS + WebSocket

```bash
# Install V2Ray (official v2fly installer)
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

# Install Caddy v2 (automatic HTTPS) from the official repository.
# The old getcaddy.com script installed Caddy v1, whose Caddyfile syntax does
# not match the v2 configuration below.
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy

# Generate the client UUID to paste into the config below
uuidgen
```

V2Ray config (VLESS over WebSocket; TLS is terminated by Caddy), `/usr/local/etc/v2ray/config.json`. The inbound is bound to loopback so that only Caddy can reach the plaintext WebSocket port:

```json
{
  "inbounds": [{
    "listen": "127.0.0.1",
    "port": 10000,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "UUID_HERE",
        "level": 0
      }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path":
"/your-secret-path"
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  }]
}
```

Caddy config (reverse proxy + TLS), `/etc/caddy/Caddyfile`:

```
yourdomain.com {
    # WebSocket path proxied to V2Ray
    reverse_proxy /your-secret-path localhost:10000

    # Fake website content as masquerade
    root * /var/www/html
    file_server
}
```

### Layer 3: Cloudflare CDN (Optional, max stealth)

1. Domain → Cloudflare DNS
2. A record: yourdomain.com → VPS IP
3. Enable the Cloudflare proxy (orange cloud)
4. SSL/TLS: Full (strict)
5. The client connects to Cloudflare, Cloudflare forwards to the VPS

**Result**: the GFW sees an HTTPS connection to Cloudflare (impossible to block without breaking the entire Chinese internet)

### Layer 4: Client Setup

#### Windows
- **V2RayN**: simple GUI, QR-code config
- **Clash for Windows**: more features, metrics

#### macOS
- **V2RayU**: native, simple
- **ClashX Pro**: feature-rich

#### Linux
- **V2Ray core**: CLI
- **Qv2ray**: Qt GUI

#### Mobile
- **V2RayNG** (Android)
- **Shadowrocket** (iOS, $2.99)

---

## Client Configuration (V2RayN example)

```json
{
  "address": "yourdomain.com",
  "port": 443,
  "id": "UUID_HERE",
  "security": "tls",
  "network": "ws",
  "wsPath": "/your-secret-path",
  "sni": "yourdomain.com"
}
```

**Import**: Server → Scan QR code → Connect

---

## Privacy Hardening

### DNS Leak Prevention

```bash
# On the VPS, install dnscrypt-proxy (DNS over HTTPS / DNSCrypt)
apt install dnscrypt-proxy -y
```

Config in `/etc/dnscrypt-proxy/dnscrypt-proxy.toml`:

```toml
server_names = ['cloudflare', 'quad9']
require_dnssec = true
require_nofilter = true
```

The VPS's own resolver must then point at the dnscrypt-proxy listener; otherwise the `freedom` outbound keeps using the hosting provider's DNS and the setting changes nothing.

### Kill Switch (Client-side)

- **Windows**: network adapter binding priority
- **macOS**: pf rules
- **Linux**: iptables rules

```bash
# Linux kill switch (allow only traffic to the tunnel endpoint)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d your-vps-ip -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j DROP
# No IPv6 exception either, otherwise traffic leaks around the tunnel
ip6tables -P OUTPUT DROP
```

Two caveats: with Cloudflare in front (Layer 3) the client talks to a Cloudflare edge address, not the VPS IP, so the ACCEPT rule must target the resolved edge address (or Cloudflare's published ranges). And the initial DNS lookup of yourdomain.com needs a way out: resolve it before arming the rules, or allow port 53 to one trusted resolver only.

### Traffic Analysis Protection

- **On the VPS**: enable BBR (TCP congestion control)

```bash
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
```

- **Client**: fake traffic generation (makes timing analysis harder)

### Log Purge

```
# Cron job on the VPS (daily)
0 3 * * * find /var/log -type f -name "*.log" -mtime +1 -delete
0 3 * * * journalctl --vacuum-time=1d
```

---

## Monitoring & Maintenance

### Status Check Script

```bash
#!/bin/bash
# /root/check_tunnel.sh

LOG=/var/log/tunnel_monitor.log

# Check that V2Ray is running
if ! systemctl is-active --quiet v2ray; then
  systemctl restart v2ray
  echo "V2Ray restarted at $(date)" >> "$LOG"
fi

# Check that Caddy is running
if ! systemctl is-active --quiet caddy; then
  systemctl restart caddy
  echo "Caddy restarted at $(date)" >> "$LOG"
fi

# Test outbound connectivity (fail on HTTP errors, never hang)
if ! curl -fsS --max-time 10 https://www.google.com > /dev/null; then
  echo "WARNING: Outbound connectivity issue at $(date)" >> "$LOG"
fi
```

Cron: `*/5 * * * * /root/check_tunnel.sh`

### Bandwidth Monitoring

```bash
# vnstat for usage tracking
apt install vnstat -y
systemctl enable vnstat
systemctl start vnstat

# Check usage
vnstat -m   # Monthly
vnstat -d   # Daily
```

### Performance Testing

```bash
# On the client, test latency/throughput
ping -c 10 yourdomain.com
curl -o /dev/null -s -w 'download speed: %{speed_download} bytes/s\n' \
  'https://speed.cloudflare.com/__down?bytes=100000000'
```

---

## Backup & Disaster Recovery

### Config Backup

```bash
# Back up the VPS config (missing unit files are skipped rather than aborting)
tar --ignore-failed-read -czf "v2ray_backup_$(date +%F).tar.gz" \
  /usr/local/etc/v2ray/ \
  /etc/caddy/ \
  /etc/systemd/system/v2ray.service \
  /etc/systemd/system/caddy.service

# Download locally
scp root@vps:/root/v2ray_backup_*.tar.gz ~/backups/
```

### Fallback Servers

- Configure 2-3 secondary VPSs (different providers)
- V2Ray clients support multiple servers with auto-failover
- Subscription link for automatic config updates

---

## Estimated Costs

### Minimal Setup (Performance focus)
- VPS Vultr Tokyo: $6/month
- .com domain: $12/year = $1/month
- Cloudflare: Free
- **Total**: ~$7/month

### Paranoia Setup (Max privacy)
- VPS Njalla: $15/month
- Privacy domain: $15/year = $1.25/month
- Backup VPS (Vultr):
$6/month
- **Total**: ~$22/month

---

## Deployment Roadmap

### Phase 1: Basic Setup (1 day)
- [ ] Choose VPS provider + create instance
- [ ] Set up domain + DNS
- [ ] Install V2Ray + Caddy
- [ ] Basic VLESS+WS+TLS config
- [ ] Test client connection

### Phase 2: Hardening (1 day)
- [ ] Cloudflare CDN setup
- [ ] DNS leak prevention
- [ ] Client kill switch
- [ ] Strict firewall rules
- [ ] Monitoring scripts

### Phase 3: Optimization (ongoing)
- [ ] BBR activation
- [ ] Performance tuning
- [ ] Backup VPS setup
- [ ] Auto-update scripts
- [ ] Bandwidth optimization

---

## Red Flags & Troubleshooting

### GFW Detection Signs
- Connection works, then drops suddenly after 5-10 min → **Active probing**
  - Solution: change port, add fake website content
- Regular latency spikes → **QoS throttling**
  - Solution: CDN + protocol obfuscation
- VPS IP blocked entirely → **IP blacklist**
  - Solution: change the VPS IP or migrate to Cloudflare

### Performance Issues
- Latency >200 ms → VPS location problem
- Throughput <5 Mbps → bandwidth throttling or oversold VPS
- Packet loss >5% → route optimization needed (consider BGP tunneling)

### Privacy Leaks
- DNS leaks → check via dnsleaktest.com
- WebRTC leaks → disable in the browser
- IPv6 leaks → disable IPv6 if the VPS does not support it

---

## Open Questions

1. **Max budget**: $10/month, or unlimited if privacy is worth it?
2. **Primary usage**:
   - General browsing + social media?
   - Streaming (Netflix, YouTube)?
   - Gaming?
   - Torrenting?
3. **Devices**: how many? (PC, phone, tablet?)
4. **Family**: Tingting too? → Multi-user setup needed
5. **Paranoia level**:
   - "I just want to bypass the GFW" → V2Ray is enough
   - "I want NOBODY to see my traffic" → add encryption layers

---

## Next Steps

Tell me:
1. What privacy level are you aiming for (1-10)?
2. Acceptable monthly budget?
3. Will Tingting use it too?
4. Main usage (browsing, streaming, gaming, all)?

And I'll build you a complete turnkey setup script.
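The Layer 2 server config, the client config and the QR/subscription import all have to agree on the UUID, the WebSocket path, the SNI and TLS; a mismatch is the usual cause of "works on the LAN, fails through Cloudflare", and a client with TLS switched off is the usual cause of a tunnel that DPI can see. The script below is an added example, not part of this plan and not V2Ray project code: it builds the server inbound and the matching client outbound from one set of parameters, emits the `vless://` share link that V2RayN/V2RayNG import, and lints the pair for those mistakes. The `listen`, `vnext`, `tlsSettings` and `wsSettings.headers` keys are standard v2fly config fields; the share-link parameters (`type`, `host`, `path`, `sni`) follow the de-facto format those clients accept; the function names and the sample values are chosen here, and the domain and path are the placeholders from the plan.

```python
"""Consistency check for a VLESS + WebSocket + TLS deployment (added example)."""
import json
import re
import uuid
from urllib.parse import quote, urlencode

# RFC 4122 UUID shape: a leftover "UUID_HERE" placeholder fails this.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I
)


def server_config(client_id: str, ws_path: str, local_port: int = 10000) -> dict:
    """V2Ray server config: VLESS over WebSocket on loopback; Caddy terminates TLS."""
    return {
        "log": {"loglevel": "warning"},
        "inbounds": [{
            "listen": "127.0.0.1",  # only the reverse proxy may reach the plaintext inbound
            "port": local_port,
            "protocol": "vless",
            "settings": {"clients": [{"id": client_id, "level": 0}], "decryption": "none"},
            "streamSettings": {"network": "ws", "wsSettings": {"path": ws_path}},
        }],
        "outbounds": [{"protocol": "freedom", "settings": {}}],
    }


def client_outbound(domain: str, client_id: str, ws_path: str) -> dict:
    """Matching client outbound: TLS to the domain on 443, WebSocket on the same path."""
    return {
        "protocol": "vless",
        "settings": {"vnext": [{"address": domain, "port": 443,
                                "users": [{"id": client_id, "encryption": "none"}]}]},
        "streamSettings": {
            "network": "ws",
            "security": "tls",
            "tlsSettings": {"serverName": domain},
            "wsSettings": {"path": ws_path, "headers": {"Host": domain}},
        },
    }


def share_link(domain: str, client_id: str, ws_path: str, name: str = "tunnel") -> str:
    """vless:// URI of the kind V2RayN/V2RayNG import from a QR code or subscription."""
    params = {"encryption": "none", "security": "tls", "type": "ws",
              "host": domain, "path": ws_path, "sni": domain}
    return f"vless://{client_id}@{domain}:443?{urlencode(params)}#{quote(name)}"


def lint(server: dict, client: dict) -> list:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    inbound = server["inbounds"][0]
    vnext = client["settings"]["vnext"][0]
    server_id = inbound["settings"]["clients"][0]["id"]
    client_id = vnext["users"][0]["id"]
    if not UUID_RE.match(server_id):
        problems.append("server client id is not a valid UUID (placeholder left in?)")
    if server_id != client_id:
        problems.append("client UUID does not match the server")
    if inbound.get("listen") != "127.0.0.1":
        problems.append("inbound not bound to loopback; plaintext WS reachable from outside")
    if inbound["streamSettings"]["wsSettings"]["path"] != client["streamSettings"]["wsSettings"]["path"]:
        problems.append("WebSocket path mismatch between client and server")
    if client["streamSettings"].get("security") != "tls":
        problems.append("client does not use TLS; traffic is visible to DPI")
    if client["streamSettings"].get("tlsSettings", {}).get("serverName") != vnext["address"]:
        problems.append("SNI does not match the address; the CDN/Caddy vhost will not route it")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the plan's placeholders plus a fresh UUID.
    domain, path = "yourdomain.com", "/your-secret-path"
    cid = str(uuid.uuid4())
    srv, cli = server_config(cid, path), client_outbound(domain, cid, path)
    print(json.dumps(srv, indent=2))
    print(share_link(domain, cid, path))
    print("lint:", lint(srv, cli) or "ok")
```

Run it once after editing either side of the tunnel; the printed server document is what goes into `/usr/local/etc/v2ray/config.json`, and a non-empty lint result is the first thing to fix before suspecting the GFW.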